TechSpot

Weird Pop-up!

By Sake
Aug 11, 2006
  1. Hey! About 3 days ago, I installed Ad-Aware SE Professional, I ran Ad-Watch and found out that I did a bad move as the program started, being the computer newb that I am, I had no idea what was happening. So I turned it to "Automatic." After that, I found out that my entire desktop and Start menu programs all turned into ".lnk" files. So I got on the internet and searched Google, and found some answers (importing some files into registry). After all that, I restarted my computer, but right before it hits the login page, I'll get a weird windows pop-up with some foreign letters (I think it's Korean?). I click "Ok" at the bottom and everything goes fine, but all my system tray icons don't show anymore. This happens every time I boot my computer.

    Also, I'm experiencing some major lag now. I don't know if it's because of the new hard drive that I installed, but almost everything lags like hell now. My browser will lag, videos will be choppy, etcetera. But my new hard drive is 2x worse.

    Lastly, there'll sometimes be days that my internet just totally doesn't work. On my router & modem, the buttons will still be flashing, but I can't use the internet at all. This has been happening even before the installation of the hard drive and before the "weird pop-up."

    So, yeah. Sorry for the long read. I've been using computers for a while, but I'm basically still a beginner, so step-by-step instructions would be awesome.

    Here's some basic information:

    OS:
    Windows XP
    Model: Dell Dimension 4550
    Router: D-Link (DI-624)
    Firewall: Norton 2006
    Antivirus: Norton 2006

    P.S. I'd love to show you a picture of the error I get right before that login screen, but "Print Screen/SysRq" won't let me take a picture of it. I'll press the button, go into Paint when I get logged in, but there's nothing to paste.

    Thanks in advance!
     
  2. Peddant

    Peddant TS Rookie Posts: 1,446

    Spyware. Go HERE, follow the instructions, then post an HJT log in the Security and the Web forum.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Peddant is quite right as usual.

    Once you've followed the instructions, post a fresh HJT log into this thread, I'll take a look and advise.

    Regards Howard :)
     
  4. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Sorry for the late reply. I did everything in that thread, the online scanners and all the programs, but nothing's changed. System tray icons are still missing, still a "weird" pop-up right before the login screen, etcetera.

    Thanks! :)
     
  5. sw123

    sw123 TS Rookie Posts: 595

    These all look weird:

    O4 - HKLM\..\Run: [aXatFLi/pWINDOWS\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a$INDO\\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aiL{o/a?aa??,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aii{{oa?o???,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{a$?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g{oo?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g???_C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{aF??a???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Miia$aF??a?·??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\mga$o?.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\ma$?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{opWINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{oiINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WINDOW1<m·?a?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwi?yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [^??? ?9??*?M·?a?:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe

    See the odd characters? I bet it's connected to the spyware.
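
Added example, not part of any post in this thread: a small triage script that parses HijackThis `O4` autorun lines and flags the pattern pointed out above, namely value names with odd characters, value names that embed a file path, and many different value names launching the same executable. The three garbled lines in the sample are copied from this thread; the `ExampleUpdater` and `ExampleTray` lines, the reason labels and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# HijackThis O4 line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.+)$")
# Characters expected in an ordinary autorun value name (a short label).
PLAIN_NAME = re.compile(r"^[A-Za-z0-9 _.\-()]+$")

# Three lines from the thread plus two constructed benign lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [aXatFLi/pWINDOWS\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [s*aiL{o/a?aa??,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
O4 - HKCU\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""


def parse_o4(log_text):
    """Return one dict per O4 registry autorun line found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append(
                {"hive": hive, "key": key, "name": name, "command": command}
            )
    return entries


def triage(entries, cluster_threshold=3):
    """Return (name, command, reasons) for every entry that looks abnormal."""
    # Collect the distinct value names that launch each command.
    names_by_command = defaultdict(set)
    for e in entries:
        names_by_command[e["command"].lower()].add(e["name"])

    findings = []
    for e in entries:
        reasons = []
        if not PLAIN_NAME.match(e["name"]):
            reasons.append("odd-characters-in-name")
        if ":\\" in e["name"]:
            # A drive path inside the *name* field, as in the thread's entries.
            reasons.append("path-embedded-in-name")
        if len(names_by_command[e["command"].lower()]) >= cluster_threshold:
            reasons.append("many-names-one-target")
        if reasons:
            findings.append((e["name"], e["command"], reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in triage(parse_o4(SAMPLE_LOG)):
        print(f"{command}  <-  [{name}]  ({', '.join(reasons)})")
```
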
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore. (XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    ISTsvc

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    mgjwie.exe
    istsvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [I}\WINDOWS\ga$o?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXatFLi/pWINDOWS\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a$INDO\\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aiL{o/a?aa??,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aii{{oa?o???,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{a$?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g{oo?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g???_C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{aF??a???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Miia$aF??a?·??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\mga$o?.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\ma$?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{opWINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{oiINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WINDOW1<m·?a?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwi?yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [^??? ?9??*?M·?a?:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe


    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\ISTsvc
    C:\WINDOWS\mgjwie.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Sake only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Thanks for the quick reply, but I was wondering how I figure out if anything has to do with "ISTsvc." Or did you just mean to find it in Add or Remove Programs and delete it?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    C:\Program Files\ISTsvc\istsvc.exe As you can see ISTsvc is listed in your programme files. Therefore it should be in your add remove programmes list in your control panel. You should try to uninstall it from add remove programmes if you can.

    Regards Howard :)
     
  9. Sake

    Sake TS Rookie Topic Starter Posts: 43

    OMG!! I followed your steps, but when I tried to shut down from Safe Mode, it freezes. Now it takes 2x longer to get into Safe Mode and it freezes when I try to exit Safe Mode. I even let it sit for 30 minutes, it just doesn't move. So I logged in from "normal" mode, but when I get in, I get a message that says "You may be a victim of software counterfeiting." My Windows became un-validated. -_-'' What happened? :evil: And my Wallpaper is gone too. -_-

    Here's my new log:
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All the nasty entries are still there.

    Download the Pocket killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore. (XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    mgjwie.exe
    istsvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    O4 - HKLM\..\Run: [I}\WINDOWS\ga$o?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXatFLi/pWINDOWS\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a$INDO\\o?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [aXaiL{o/a?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aiL{o/a?aa??,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s*aii{{oa?o???,C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{a$?aa???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g{oo?uexC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [Is*WINDOWS\g???_C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Mii{{aF??a???C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [s=Miia$aF??a?·??C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WP?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\ma$wie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\W>?OWS\,a?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\mga$o?.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}\WINDOWS\ma$?aa?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C>?P?OWS\mgjwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{opWINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}i{oiINDO\,,#?nC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [C:\WINDOW1<m·?a?aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwie;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?jwi?yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [>?WP?OWS\o?o?ia?C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [^??? ?9??*?M·?a?:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\mga$o?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe
    O4 - HKLM\..\Run: [I}?>?OWS\,a\?;yxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mgjwie.exe

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\mgjwie.exe

    Once your system has rebooted, turn system restore back on and post a fresh HJT log.

    Regards Howard :)
     
  11. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Well, I followed your instructions, but I got an error after I clicked the "Delete File" button: [​IMG]

    In the end I had to manually shut down and my computer froze AGAIN. Once again, I even let it sit for 30 minutes, but it didn't move. :(

    And I still don't know how to solve the problem that my computer un-validated my Windows: [​IMG]

    Thanks for the help. :)
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sometimes Killbox does freeze instead of rebooting. It's perfectly ok to manually restart when this happens.

    Run HJT and click on the config button, select the backups button and look for any O16-DPF entries that are from Microsoft or Windows. Select them by placing a tick in the box next to those entries and click on the restore button. Reboot your computer.

    Post a fresh HJT log.

    Regards Howard :)
     
  13. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Should I do this in Safe Mode?
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you're referring to restoring the O16-DPF entries, you can do it from normal mode.

    Regards Howard :)
     
  15. Sake

    Sake TS Rookie Topic Starter Posts: 43

    I deleted all of the backups that HijackThis made. <_<
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Oh no! Whatever possessed you to do that?

    The only thing I can suggest, is you run Windows updates and hope that sorts it out.

    Let me know the outcome.

    Regards Howard :)
     
  17. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Yay! My Windows is validated again. :)

    But I'm still getting the pop-up when I start up the computer, the system tray icons (except Norton) are still gone. :(

    Thanks!
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's good news.

    Please post a fresh HJT log and I'll see what I can do.

    If that infection is still there, I'll have to do some research on how to get rid of it.

    Regards Howard :)
     
  19. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Thanks. :)
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    This isn't looking good.

    I can find absolutely no info for mgjwie.exe.

    Try the following.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the file you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply, when it reboots and post a fresh HJT log.

    Regards Howard :)
     
  21. Sake

    Sake TS Rookie Topic Starter Posts: 43

    I did exactly what you said, but when the computer started, there was no command window. And when I check C:, there was nothing in the Avenger folder and no Avenger.txt.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Post a fresh HJT log.

    If those entries are still there, you may need to think about backing up your important data and doing a reformat.

    I'm still trying to figure out a way to get this off your system, but I'm running out of ideas.

    Regards Howard :)
     
  23. Sake

    Sake TS Rookie Topic Starter Posts: 43

    Wow, and I just got a new hard drive. -_-;;
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode and look for this folder C:\WP?OWS the ? mark could be any random letter/number etc. If you find it, try and delete it. Let me know the results.

    Regards Howard :)
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I've managed to find what may be a solution, the operative word being maybe.

    Go HERE and download and run the istbar removal tool. Follow the instructions exactly.

    Let me know how it goes and post a fresh HJT log.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
